Creating ServiceAccount for Backstage
Create the ServiceAccount itself
$ kubectl create serviceaccount backstage-sa -n default
!!! Role did NOT work (probably a namespace issue), created a clusterRole + binding instead, see below
Create the role
backstage-role.yaml:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: backstage-role
rules:
- apiGroups: [""]
  resources: ["pods", "services"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch"]
$ kubectl apply -f backstage-role.yaml
Bind role to service account
backstage-rolebinding.yaml:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: backstage-rolebinding
  namespace: default
subjects:
- kind: ServiceAccount
  name: backstage-sa
  namespace: default
roleRef:
  kind: Role
  name: backstage-role
  apiGroup: rbac.authorization.k8s.io
$ kubectl apply -f backstage-rolebinding.yaml
Create the ClusterRole
Create the ClusterRoleBinding
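The ClusterRole and ClusterRoleBinding referred to in the note above are not reproduced on this page. What follows is an added example, not the author's manifests: a cluster-scoped equivalent of backstage-role with the same read-only rules, bound to backstage-sa, followed by the kubectl checks that confirm what the service account can and cannot do. The names backstage-clusterrole and backstage-clusterrolebinding are assumed.

```yaml
# backstage-clusterrole.yaml (added example; resource names are assumed, not from the notes)
# Same read-only rules as backstage-role, but a ClusterRole is not namespaced:
# a ClusterRoleBinding to it grants these verbs in every namespace of the cluster.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: backstage-clusterrole
rules:
- apiGroups: [""]
  resources: ["pods", "services"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch"]
---
# backstage-clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: backstage-clusterrolebinding
subjects:
- kind: ServiceAccount
  name: backstage-sa
  namespace: default   # the subject stays namespaced even though the binding is cluster-wide
roleRef:
  kind: ClusterRole
  name: backstage-clusterrole
  apiGroup: rbac.authorization.k8s.io
# Apply both files, then verify the effective permissions by impersonating the
# service account: reads in another namespace should succeed, writes should be denied.
#   kubectl apply -f backstage-clusterrole.yaml -f backstage-clusterrolebinding.yaml
#   kubectl auth can-i list pods -n kube-system --as=system:serviceaccount:default:backstage-sa   # expected: yes
#   kubectl auth can-i delete pods -n default --as=system:serviceaccount:default:backstage-sa     # expected: no
```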
Create a secret token for the service account
backstage-sa-token-secret.yaml:
apiVersion: v1
kind: Secret
metadata:
  name: backstage-sa-token-secret
  annotations:
    kubernetes.io/service-account.name: backstage-sa
type: kubernetes.io/service-account-token
$ kubectl apply -f backstage-sa-token-secret.yaml -n default
Link the secret with the service account
$ oc secrets link backstage-sa backstage-sa-token-secret -n default
Get the service account token
Get the name of the secret (backstage-sa-secret):
$ kubectl get serviceaccount backstage-sa -n default -o jsonpath='{.secrets[0].name}'
Get the secret value (the token):
$ kubectl get secret backstage-sa-secret -n default -o jsonpath='{.data.token}' | base64 --decode
Update app-config
kubernetes:
  serviceLocatorMethod:
    type: 'multiTenant'
  clusterLocatorMethods:
    - type: 'config'
      clusters:
        - url: 'https://api.oc-med.wk.nt.local:6443'
          name: 'WK OKD Cluster'
          authProvider: 'serviceAccount'
          serviceAccountToken: '${KUBERNETES_SERVICE_ACCOUNT_TOKEN}'
          skipTLSVerify: true